Troy Johnston
Joined Oct 22, 2021 · Last activity Mar 23, 2023
Following: 0 · Followers: 0 · Total activity: 28 · Votes: 9 · Subscriptions: 11
Latest activity by Troy Johnston
Troy Johnston commented,
Salvador Vazquez Please can we re-issue your update without the jargon to ensure all parties internationally are understanding you.
EAP? Extensible Authentication Protocol? - can't see relevance
Some may not understand GA.
H2? Please provide month or date. Sorry this must be a US terminology.
Please lift your game Zendesk. People have been waiting a long time for this obvious weakness. Clear commitment and communication is what we seek.
View comment · Edited Mar 23, 2023 · Troy Johnston
0 Followers · 2 Votes · 0 Comments
Troy Johnston commented,
Hello Barkha,
I emailed straight back, but perhaps it didn't get through. Yes - please set up the Zoom. I understand you're the PM. I would certainly appreciate any attendance with us from IT Security or Architecture within the discussion.
Please let's communicate moving forwards not via a public forum.
Regards,
View comment · Posted Dec 28, 2022 · Troy Johnston
0 Followers · 0 Votes · 0 Comments
Troy Johnston created a post,
Hi Zendesk,
I have requested a conversation directly with your IT Security or Enterprise architecture team. Please have them contact me directly.
2FA has been poorly implemented. Business software should not permit users to have control over whether to use 2FA each login or not. That is a decision of each company administrator.
Will Zendesk re-consider and take action on this yourselves?
A very simple fix - provide admin the ability to set default on user ability to disable any trust by user to their device for 30 days. Hence permit admin to lock this as "None" so that the sessions will expire as per the other 2FA settings.
It is interesting that Zendesk think of IT security as simply a 'feature' and not a mandatory component. Users will never upvote IT security in comparison to bells n whistles features.... right now there is extreme risk to being hacked or otherwise breached.
Right now the implementation provides some misleading assurance of being secure and using sessions. The current implementation does leave Zendesk open to potential legal action I would believe should Personally Identifying (PI) or sensitive data be stolen via a breach.
This would be straight-forward to remediate by implementing the common design that permits admin to enforce 2FA.
Please note that as a very small company we do not have intention or capability to implement SSO. However we do have copies of PI and possibly sensitive information within our tickets and we do take information security seriously and would like to see Zendesk make an uplift here to properly secure your 2FA design - for everyone's benefit.
I'd like to see Zendesk take the lead here.
There have been other requests on this same question for 12 months without action. Please do not leave IT Security for a popular up-vote before acting.
It is so important.
Regards,
Troy
Posted Dec 18, 2022 · Troy Johnston
2 Followers · 4 Votes · 2 Comments
Troy Johnston commented,
Hi Caroline,
It is interesting that Zendesk think of IT security as simply a 'feature' and not a mandatory component. Users will never upvote IT security in comparison to bells n whistles features.... right now there is extreme risk.
It is not a great answer though, Zendesk. Sincerely the 2FA implementation is flawed. 2FA in a business context is meant to be implemented as a scheme that permits administrators to make the use of this mandatory.
The current implementation does leave Zendesk open to potential legal action I would believe should Personally Identifying (PI) or sensitive data be stolen via a breach.
This would be straight-forward to remediate by implementing the common design that permits admin to enforce 2FA.
Why will Zendesk not consider and take action on this yourselves?
It would be a relatively simple change to lock down the user screens to no longer permit the 30 day 'trust'.
Please note that as a very small company we do not have intention or capability to implement SSO. However we do have copies of PI and possibly sensitive information within our tickets and we do take information security seriously and would like to see Zendesk make an uplift here to properly secure your 2FA design - for everyone.
I'd like to see Zendesk take the lead here.
Regards,
Troy
View comment · Posted Dec 16, 2022 · Troy Johnston
0 Followers · 3 Votes · 0 Comments
Troy Johnston commented,
Hello. As 2FA Session management has not been securely implemented (to mandate users must use 2FA with every login event) I would like to establish an automation to achieve:
At 7pm each night - destroy all active sessions.
Can you please provide guidance to this.
- I have established a webhook that calls the Sessions API and is authenticated via token.
- How to build the automation that is preferably time dependent. I imagine the logic will need to be something like: Loop through all open sessions - destroy each active session.
I am not a developer, and at this time I can't see how to achieve this in automation. Please do provide some detailed guidance - especially given the 2FA implementation is not secure.
Thanks,
View comment · Posted Dec 13, 2022 · Troy Johnston
0 Followers · 0 Votes · 0 Comments
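The nightly "destroy all active sessions" loop asked about in the comment above, as an added sketch that is not part of the original post and is not Zendesk's own code. It assumes the Sessions API endpoints `GET /api/v2/sessions` and `DELETE /api/v2/users/{user_id}/sessions/{session_id}` with `next_page` pagination; `keep_user_ids`, `FakeZendesk`, the subdomain and the sample sessions are hypothetical.

```python
import base64
import json
import urllib.request

def make_transport(email, token):
    """Real HTTP transport using API-token Basic auth ('<email>/token:<token>')."""
    cred = base64.b64encode(f"{email}/token:{token}".encode()).decode()
    def call(method, url):
        req = urllib.request.Request(url, method=method,
                                     headers={"Authorization": f"Basic {cred}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
            return json.loads(body) if body else {}
    return call

def revoke_all_sessions(base_url, call, keep_user_ids=()):
    """Collect every active session first, then delete each one.
    Listing before deleting keeps pagination stable while sessions disappear.
    keep_user_ids is a hypothetical allow-list (e.g. a break-glass admin)."""
    sessions, url = [], f"{base_url}/api/v2/sessions.json"
    while url:
        page = call("GET", url)
        sessions.extend(page.get("sessions", []))
        url = page.get("next_page")  # None on the last page
    revoked, skipped = [], []
    for s in sessions:
        if s["user_id"] in keep_user_ids:
            skipped.append(s["id"])
            continue
        call("DELETE", f"{base_url}/api/v2/users/{s['user_id']}/sessions/{s['id']}.json")
        revoked.append(s["id"])
    return revoked, skipped

class FakeZendesk:
    """Constructed in-memory stand-in for the API so the loop runs offline."""
    def __init__(self, base_url, sessions):
        self.base, self.live = base_url, {s["id"]: s for s in sessions}
    def __call__(self, method, url):
        if method == "DELETE":
            self.live.pop(int(url.rsplit("/", 1)[1].split(".")[0]), None)
            return {}
        rows = list(self.live.values())
        first = "page=2" not in url  # two constructed pages of two rows each
        nxt = f"{self.base}/api/v2/sessions.json?page=2" if first and len(rows) > 2 else None
        return {"sessions": rows[:2] if first else rows[2:], "next_page": nxt}

BASE = "https://example.zendesk.com"  # placeholder subdomain
SAMPLE = [{"id": 11, "user_id": 1}, {"id": 12, "user_id": 2},  # constructed sessions
          {"id": 13, "user_id": 2}, {"id": 14, "user_id": 3}]
```

Against a real account, pass `make_transport(email, token)` as `call` and run the script from a scheduler outside Zendesk, for example cron `0 19 * * *` for the 7pm requirement.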
Troy Johnston commented,
Hi Christine, Zendesk,
This is a significant security flaw in Zendesk's implementation of 2FA. 2FA ought to be bundled with the ability for an administrator to mandate use of 2FA with every login event. Leaving this up to the user breaks our security rules (and we are just a tiny company).
This leaves us exposed to hacking.
What we don't understand is the Sessions can clearly be set to expire.... and yet this does not sign out the user? Or properly kill the session. The implementation is flawed, unfortunately.
Will Zendesk take this seriously and implement an Admin enforcement? This should never be a user decision.
View comment · Posted Dec 12, 2022 · Troy Johnston
0 Followers · 5 Votes · 0 Comments
Troy Johnston commented,
Why then am I being informed my migration/upgrade will be automatically processed in early August?! I understood this was not required. As per Nikki above - we use email only - and I can only see a negative impact to our team by this change. (Why are messages now located with the latest at the bottom?!) - There must be a configuration available for us to flip this as this will have a huge impact on us.
Please help.
View comment · Posted Jul 14, 2022 · Troy Johnston
0 Followers · 1 Vote · 0 Comments
Troy Johnston commented,
Agree with all
Christopher Reichle has honestly excellent points and well summarised the larger picture of feature request management practice and process by design.
@... please don't take his comments personally. I found his submission to be respectful, thoughtful, transparent, trusting and honest from his perspective.
I do agree the evidence on this request and a range of others demonstrates that the ZD process of gathering customer feedback and decision making on features to enter the approved backlog warrants improvement.
I do hope ZD will incorporate change in this area.... be agile, be daring and be communicative to your customers' requests.
View comment · Posted May 29, 2022 · Troy Johnston
0 Followers · 3 Votes · 0 Comments